practitioner-compartment

practitioner_compartment Validator Documentation
FHIR Compartment-Based Access Control for Practitioner Resources

Intent

The practitioner_compartment validator restricts access to resources explicitly linked to the authenticated practitioner’s FHIR compartment. This ensures practitioners can only interact with data they are directly associated with (e.g., orders they created, patients they treat).

Key Use Cases:

Practitioners viewing lab results they ordered (DiagnosticReport).
Practitioners updating medication requests they authored (MedicationRequest).
Practitioners accessing encounter records where they are the primary provider (Encounter).

Key Features

Role Enforcement:
- Validates that the client has the Practitioner role. Requests from non-practitioner roles (e.g., Patient) are denied.
Compartment Membership Check:
- Confirms the requested resource type belongs to the system-defined Practitioner compartment (e.g., MedicationRequest, Encounter, ServiceRequest).
Reference Validation:
- For create/update operations, ensures the resource references the practitioner’s ID (e.g., MedicationRequest.requester = Practitioner/<id>).

Validation Logic

Step	Action	Error If Failed
1	Check `client_role` is `Practitioner`.	`403 Forbidden` (Invalid role)
2	Verify resource type is in the Practitioner compartment.	`403 Forbidden` (Invalid compartment)
3	For write operations, validate practitioner ID in relevant fields (e.g., `requester`, `performer`).	`403 Forbidden` (Reference mismatch)

Example Configurations

1. Read Access to Lab Reports

{
  "client_role": "Practitioner",
  "entity_name": "Observation",
  "operation": "read",
  "validator": "practitioner_compartment"
}

Explanation: A practitioner can read DiagnosticReport resources only if they are referenced in fields like DiagnosticReport.performer or DiagnosticReport.requester.

2. Create an Encounter Record

{
  "client_role": "Practitioner",
  "entity_name": "Encounter",
  "operation": "create",
  "validator": "practitioner_compartment"
}

Requirements: The Encounter body must include:

"participant": [{
  "individual": {
    "reference": "Practitioner/<practitioner_id>"
  }
}]

Otherwise, the request is denied.

FHIR References

General Compartment Guidance:
FHIR Compartments (Official HL7 documentation).
Resource Examples:
- MedicationRequest.requester
- Encounter.participant

Use Case: Clinic Workflow Integration

A hospital EHR system uses this validator to:

Restrict lab order access: Practitioners see only Observations resources they have access rights.
Audit surgical procedures: Ensures Procedure resources reference the surgeon’s ID in performer.

Error Handling:

A practitioner attempting to update another provider’s MedicationStatement receives a 403 Forbidden response.

Intent​

Key Features​

Validation Logic​

Example Configurations​

1. Read Access to Lab Reports​

2. Create an Encounter Record​

FHIR References​

Use Case: Clinic Workflow Integration​